VYPR
Medium severity6.5NVD Advisory· Published Feb 20, 2018· Updated Jun 17, 2026

CVE-2018-6356

CVE-2018-6356

Description

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.main:jenkins-coreMaven
< 2.89.42.89.4
org.jenkins-ci.main:jenkins-coreMaven
>= 2.90, < 2.1072.107

Affected products

1

Patches

Vulnerability mechanics

References

10

News mentions

0

No linked articles in our index yet.